Pre-processing of NAT addresses

ABSTRACT

A method for packet-oriented transmission of speech, audio, video and/or useful data between an internal and a public data network by means of a pre-reservation of NAT addresses. A pre-NAT address is allocated to the IP address of an internal computer by an NAT address server. The relevant allocation data set is available in a NAT host 200 which acts as a gateway between the internal and the public data network; whereby single addresses (pre-NAT addresses) are provided for transparent use of the data packet in the internal and public network when the information on the origin or destination in an IP Header or in the protocol data, in addition to the information on origin or destination in said header, is modi.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is the US National Stage of International Application No. PCT/DE02/02840, filed Aug. 1, 2002 and claims the benefit thereof. The International Application claims the benefit of German application No. 10142500.7 filed Aug. 30, 2001; both of the applications are incorporated by reference herein in their entirety.

FIELD OF INVENTION

The invention relates to a method for packet-oriented transmission of data between an internal network and a public data network, and to an arrangement for carrying out such a method.

BACKGROUND OF INVENTION

Methods of the type in question are nowadays widely used for the transmission of speech, audio, video and/or useful data across network boundaries, e.g. between internal and public data networks. During the transmission of data over IP networks, problems repeatedly arise when an address translation is performed at a network boundary using NAT (Network Address Translation). For various reasons, NAT is of crucial importance for Internet technology here. In addition to providing load distribution in parallel processing, various types of access security provisions in the sense of a firewall as well as fault tolerance and high availability are supported. Basic network administration functions are also simplified.

Since the address space provided at the time the Internet was founded will no longer suffice for the assignment of IP (IP: Internet Protocol) addresses in the foreseeable future, and especially since the expansion of internal and highly complex data networks requires more and more IP addresses, NAT is however used above all to hide internally used IP addresses from the outside. Firstly this makes it easier to manage internal networks, and secondly it saves on costs, since fewer chargeable public IP addresses need be used externally than are actually required internally. In principle it is theoretically possible here to map an internal network of up to 60,000 computers to a single public IP address by varying the port address of the public IP address.

With NAT, when an IP data packet is sent, first of all the IP header of this packet is exchanged. The internal IP address including port number is replaced by a public IP address with a different port number. An NAT host stores the mapping of internal IP address to the public (external) IP address. If the NAT host then receives an IP data packet, it maps the public (external) IP address back onto the internal IP address. The NAT host should be understood here as a computer linking two networks together on which appropriate software (NAT engine) handles the address translation.

It is however a problem that some IP protocols also send the internal IP addresses again as protocol data (e.g. with Voice-over-IP protocols). At the NAT host only the IP headers of a data packet are exchanged; the protocol data itself is not accessed, since it cannot be resolved by the NAT host. The addressed external computer in the public network now sends its reply, not to the public address in the IP header of the data packet, but to the internal IP address which the service used (e.g. Voice-over-IP) has read out from the protocol data. However, the original sender cannot be reached under this address. The reply is therefore sent either to an unknown IP address or to a different public computer which is unable to do anything with this IP data packet.

The problem described here has hitherto not been solved. There have been isolated attempts to use directly on the NAT host a protocol analyzer which is able to unpack certain protocols and also, in addition to the IP header, to change here the protocol data in accordance with the NAT mapping. However, this regular access to protocol data together with its analysis would slow down the data traffic considerably. Moreover, depending on the protocol type used, it might prove necessary to use not just one, but several protocol analyzers. The problem could be solved in future by IPv6 (Internet Protocol Version 6—with extended IP address space), but IPv6 will not be implemented across the board for a long time to come. Owing to the greatly increased interest of companies in Internet telephony and in exchanging image and useful data, however, a speedy and reliable solution of the problem outlined is required.

SUMMARY OF INVENTION

The object of the present invention is to provide a method which, while retaining existing NAT configurations, enables the establishment of transparent connections for more complex protocols (speech, audio, video and/or useful data) via an NAT host.

It is a further object of the present invention to provide an arrangement for carrying out the method according to the invention.

One central idea of the method according to the invention is to support on the one side more complex protocols (e.g. Voice-over-IP) to an unchanged extent in such a way that the problems with the addressing of computers in the public IP network which arise solely as a result of using NAT are solved. This is enabled in the packet-oriented transmission of speech, audio, video and/or useful data between an internal and a public data network by a pre-reservation of NAT addresses, whereby first of all a request of an internal computer is sent to an NAT address server to provide a pre-NAT address for an IP address of the internal computer. Said pre-NAT address for the IP address of the internal computer is allocated by the NAT address server. The current allocation data set between the pre-NAT address and the IP address of the internal computer is finally sent by the NAT address server to an NAT host. The current allocation data set for modifying the origin or destination specifications in the header of a data packet (IP header) is therefore present at the NAT host acting as the gateway between the internal and the public data network. In the next step, the pre-NAT address of the internal computer is sent from the NAT address server to the internal computer. At the computer, said pre-NAT address is introduced as the sender address into the protocol data of a data packet by the respective service (e.g. Voice-over-IP). A data packet, in particular with Voice-over-IP protocol data which now contains the pre-NAT address as the Voice-over-IP address, is then sent by the internal computer to the NAT host. On said host, in the next step an origin specification in the header of the data packet (IP header), which specification contains the IP address of the internal computer, can be exchanged for the allocated pre-NAT address. As a result, standardized addresses (pre-NAT addresses) are present in both the protocol data of the data packet and in the origin specification in the header of said packet for transparent use of the data packet in both the internal and the public data network. Finally, the data packet is forwarded by the NAT host to an externally addressed computer.

The advantage of this solution is that the NAT host no longer has to concern itself with the protocol data. The internal computer(s) (clients) can contact the NAT server in order to discover their future NAT address already in advance. This is taken into account when assembling the protocol data. The external computer in the public data network now receives in the protocol data the correct reply address, which then goes to the NAT host and the latter then can deliver the reply correctly to the internal computer. The workload on the NAT host is also reduced since it now no longer itself has to unpack the data packet in accordance with the protocol used, but rather only exchanges the origin specification in the header of the data packet (IP header) as before.

Advantageous developments of the method according to the invention are disclosed in subclaims 2 and 3.

The data packet with the pre-NAT address from the externally addressed computer is preferably received by the NAT host. In the next step, using the current allocation data set, said host can exchange [lacuna], by exchanging a destination specification in the header of the data packet (IP header), which specification corresponds to the pre-NAT address, for the allocated IP address of the internal computer. In the next step, the data packet is then forwarded by the NAT host to the internally addressed computer. A particular advantage is conferred by the fact that the usual exchange of destination specification in the header of the data packet (IP header) by the externally addressed computer can be retained unchanged in the conventional framework. By virtue of the fact that transparent addresses are however now present in the destination specification in the header of the data packet (IP header) and in the protocol data transported with said data packet, misrouting of the data packet is precluded.

The NAT host preferably requests the current allocation data set from the NAT address server before the actual exchange of the destination specification in the header of the data packet (IP header) of the external computer is performed. A duplicated assignment of pre-NAT addresses to data packets that are not the result of a request from the internal network into the public network is consequently avoided. The exchange of the destination specification in the header of a data packet (IP header) sent from the public network into the internal network can then be performed taking into account the current data set of already assigned IP addresses.

The object of the present invention is furthermore achieved by an arrangement for carrying out the method according to the invention.

In this arrangement, in addition to an NAT host which connects at least one internal data network to a public data network, and at least one internal computer which communicates or can communicate with a public computer via the NAT host, an NAT address server is provided which is connected, or can establish a connection, to the internal computer and to the NAT host, and which serves to determine and allocate pre-NAT addresses to the IP address of an internal computer.

The determination of pre-NAT addresses includes here the management (adding, updating, deleting) of already assigned mappings in order to avoid duplicated assignment of pre-NAT addresses to IP addresses of internal computers. An address (pre-NAT address, IP address) is always understood here to refer to the IP number (e.g. 141.23.209.105) together with a port number (e.g. 1245). Since the IP number of the NAT host is always the same, the mapping of the pre-NAT address is resolved via the assignment of a port number to the IP number of the NAT host, which finally references the IP address (IP number and port number) of the internal computer.

Advantageous developments of the arrangement according to the invention are disclosed in claims 5 and 6.

In this arrangement the NAT address server preferably runs together with the NAT host on the same computer. The NAT host can handle here the functionalities of a gatekeeper, such as address translation, access control, bandwidth control, etc. of multimedia services. As a result of the close linking of the NAT host and its special services to the NAT address server on the same computer, in particular communication protocols over the data network are avoided. The NAT address server can therefore quickly ascertain used or free IP addresses from the NAT host before mapping to IP addresses of the internal computer is performed.

It is also especially advantageous if standardized protocols, in particular SIP (Session Initiation Protocol) or H.323, are used to transmit speech, audio and/or video data packets over network connections. In conjunction with the arrangement according to the invention, said protocols offer mechanisms for call forwarding, call signaling, inclusion of supporting data, media control and supplementary services. H.323 is a proven protocol here which is used in particular thanks to its user friendliness, reliability and interoperability with PSTN (Public Switched Telephone Network). SIP is a new protocol which guarantees scalability, flexibility and easy implementation when setting up complex systems.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is explained in greater detail below with reference to an exemplary embodiment, where:

FIG. 1 shows packet-oriented transmission of speech, audio, video and/or useful data between an internal A and a public data network B according to the prior art, and

FIG. 2 shows an arrangement according to the invention for the packet-oriented transmission of speech, audio, video and/or useful data between an internal A and a public data network B.

DETAILED DESCRIPTION OF INVENTION

To elucidate the problem solved by the invention, FIG. 1 illustrates the problem once again in an arrangement according to the prior art. In this arrangement, an NAT host 100 having the IP number 145.30.62.1 connects an internal A to a public data network B. A computer 120 having the IP number 141.23.209.105 is connected via the NAT host 100 to a further computer 130 having the IP number 192.178.63.4. When communication is established between the computers 120, 130, first of all a data packet 160 is sent from the internal computer 120 to the NAT host 100 over a network connection 142. The IP address (comprising IP number and port number) of the computer 120, namely 141.23.209.105:1245, is used as the origin specification 170 of the data packet. The protocol data includes the Voice-over-IP address 180, which is identical to the IP address of the computer 120, used by the specific service running on the computer 120.

On the NAT host 100, the origin specification of the data packet 160, that is to say the IP address 141.23.209.105:1245 of the computer 120, is now replaced by the publicly visible IP number 145.30.62.1 of the NAT host 100 together with an allocated port number, namely 48324. This port number 48324 can be used for mapping the modified origin specification onto the original origin specification, that is to say the IP address 141.23.209.105:1245 of the computer 120. During this modification of the origin specification of the data packet 160, the Voice-over-IP address 180 however continues to remain 141.23.209.105:1245 and consequently the same as the original IP address of the computer 120.

Said data packet 160 is forwarded to the computer 130 over the network connection 143. In turn said computer 130 receives the message and uses for connection establishment the Voice-over-IP address present for the respective service, here Voice-over-IP, in the protocol data of the data packet 160. As a result, however, the data packet 161 sent back by the computer 130 is addressed to the original IP address of the computer 120. With the destination specification 171 of the data packet 161, that is to say the IP address 141.23.209.105:1245, the reply therefore goes either to an unknown IP address or to a different public computer which is unable to do anything with this data packet. The illustrated problem is therefore that an address translation takes place at the NAT host 100 which, although it modifies the origin specification 170 or destination specification 171 (the IP header) of the data packet 160 or 161 respectively, leaves untouched the relevant Voice-over-IP address 180 for the Voice-over-IP service used. However it is specifically this service that addresses in the destination specification 171 of the returning data packet 161 the IP address that was stored for the service in the protocol data specified for it.

FIG. 2 now shows an arrangement according to the invention in which an NAT host 200 again connects an internal A to a public data network B. The NAT host 200 having the IP number 145.30.62.1 communicates bidirectionally with an NAT address server 210, with NAT host 200 and NAT address server 210 being connected to an internal computer 220 having the IP number 141.23.209.105 over network connections 240 and 242 respectively. The NAT host and NAT address server can also run on the same computer, but in order to illustrate the basic functioning of the arrangement according to the invention, they are shown separately here. The computer 220 is connected via the NAT host 200 to a further computer 230 having the IP number 192.178.63.4.

In order to preclude the problem described above, the computer 220 first sends a request over the network connection 240 to the NAT address server 210 for it to allocate a pre-NAT address 251 for its IP address 250, in this case 141.23.209.105:1245. The NAT address server 210 first determines an as yet unallocated pre-NAT address 251, which it then dispatches to the computer 220 over the network connection 240. The pre-NAT address in the present exemplary embodiment is 145.30.62.1:48324. The port number 48324 of the pre-NAT address can thus be used for mapping onto the IP address 141.23.209.105:1245 of the computer 220. The IP number 145.30.62.1 of the pre-NAT address 251 corresponds to the IP number of the NAT host 200 which is externally visible to the public network B.

In the next step, the computer 220 then sends a data packet 260 to the NAT host 200 in whose protocol data the assigned pre-NAT address 145.30.62.1:48324 is found as Voice-over-IP address 280. The origin specification 270 in the header of the data packet (IP header) 260 is by contrast the IP address of the computer 220, namely 141.23.209.105:1245. An address translation of the origin specification 270 of the data packet is in turn performed on the NAT host 200, during which translation the IP address of the computer 220 is [lacuna] for the pre-NAT address 145.30.62.1:48324 allocated by the NAT address server 210. Following the assignment of the pre-NAT address by the NAT address server 210, this current allocation of the pre-NAT address to the IP address of the computer 220 (mapping) is notified to the NAT host 200 over the network connection 241 or is requested by the NAT host 200. The IP address of the internal computer 220 can now be traced back via the mapping of the port number 48324 to the IP address of the internal computer 220, namely 141.23.209.105:1245.

In a further step, the data packet 260 is sent by the NAT host 200 to the external computer 230 over the network connection 243. For sending back the data packet 261, the Voice-over-IP service used there uses the Voice-over-IP address 280, which now corresponds to the pre-NAT address 251, present in the protocol data as the destination specification 271. Said destination specification 271 is now 145.30.62.1:48324.

This addresses the NAT host 200 where, on the basis of the current mapping, the destination specification 271 in the header of the data packet (IP header) 261 is exchanged for the actual IP address of the computer 220, that is to say the pre-NAT address 145.30.62.1:48324 for the IP address 141.23.209.105:1245. The data packet 261 can thus be mapped by the NAT host 200 to the computer 220 and sent to the latter.
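The two exchanges just described (FIG. 1, where the reply is lost, and FIG. 2, where the pre-reserved address in the protocol data lets the NAT host map the reply back) and the allocation steps of the summary above, simulated in Python as an added example that is not part of the patent; the addresses are those of the description, while port 5060 for the external computer, the class names and the single-port-counter allocation are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

Addr = tuple[str, int]  # an "address" in the patent's sense: IP number plus port number

@dataclass
class Packet:
    src: Addr        # origin specification in the IP header
    dst: Addr        # destination specification in the IP header
    voip_addr: Addr  # address the VoIP service (SIP/H.323) carries in the protocol data

class NatHost:
    """Gateway that exchanges only the IP header; the protocol data is never inspected."""
    def __init__(self, public_ip: str, first_port: int = 48324):
        self.public_ip, self.next_port = public_ip, first_port
        self.table: dict[Addr, Addr] = {}  # pre-NAT address -> internal IP address

    def free_port(self) -> int:  # assumed allocation: a simple counter of unused ports
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, pkt: Packet) -> Packet:
        pre_nat = next((p for p, owner in self.table.items() if owner == pkt.src), None)
        if pre_nat is None:  # prior art: the host picks a port itself at send time
            pre_nat = (self.public_ip, self.free_port())
            self.table[pre_nat] = pkt.src
        return Packet(src=pre_nat, dst=pkt.dst, voip_addr=pkt.voip_addr)

    def inbound(self, pkt: Packet) -> Packet | None:
        internal = self.table.get(pkt.dst)
        if internal is None:
            return None  # nothing maps to this destination: the reply is lost
        return Packet(src=pkt.src, dst=internal, voip_addr=pkt.voip_addr)

class NatAddressServer:
    """Hands out pre-NAT addresses before any packet is sent and notifies the NAT host."""
    def __init__(self, host: NatHost):
        self.host = host

    def allocate(self, internal: Addr) -> Addr:
        for pre_nat, owner in self.host.table.items():
            if owner == internal:
                return pre_nat  # already mapped: no duplicate allocation
        pre_nat = (self.host.public_ip, self.host.free_port())
        self.host.table[pre_nat] = internal  # current allocation data set sent to the NAT host
        return pre_nat

def external_reply(received: Packet, external: Addr) -> Packet:
    # The external VoIP service answers to the address in the protocol data, not the IP header.
    return Packet(src=external, dst=received.voip_addr, voip_addr=external)

INTERNAL: Addr = ("141.23.209.105", 1245)
EXTERNAL: Addr = ("192.178.63.4", 5060)  # port constructed; the page gives only the IP number

def prior_art() -> tuple[Addr, Packet | None]:
    """FIG. 1: the protocol data carries the internal address, so the reply is undeliverable."""
    host = NatHost("145.30.62.1")
    sent = host.outbound(Packet(INTERNAL, EXTERNAL, voip_addr=INTERNAL))
    reply = external_reply(sent, EXTERNAL)
    return reply.dst, host.inbound(reply)

def pre_nat_method() -> tuple[Addr, Addr, Addr]:
    """FIG. 2: the client reserves its pre-NAT address first and writes it into the protocol data."""
    host = NatHost("145.30.62.1")
    server = NatAddressServer(host)
    pre_nat = server.allocate(INTERNAL)  # request, allocation and notification of the NAT host
    sent = host.outbound(Packet(INTERNAL, EXTERNAL, voip_addr=pre_nat))
    reply = external_reply(sent, EXTERNAL)
    return sent.src, reply.dst, host.inbound(reply).dst
```

`prior_art()` returns the internal address as the reply destination and `None` from the NAT host, while `pre_nat_method()` shows header and protocol data both carrying 145.30.62.1:48324 and the reply landing at 141.23.209.105:1245.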

In particular the H.323 or SIP protocol is used in the protocol data for the Voice-over-IP connection establishment. As a consequence, the communication between one or more internal computers (multipoint connection) and one or more external computers on the basis of speech, audio, video and/or useful data is also always ensured by the arrangement for carrying out the method according to the invention.

It should be noted at this point that all the above-described elements are claimed as essential to the invention both individually for themselves and in every combination, in particular the details illustrated in the drawings. Variations of these are known to persons skilled in the art.

1. A method for the packet-oriented transmission of data between an internal network and a public data network, said transmission of data including a Network Address Translation (NAT) processing and further including protocol data arranged to resolve inconsistencies therein, said method comprising: sending a request of an internal multimedia computer to an NAT address server for the provision of a pre-NAT address for an IP address of the internal computer; allocating a pre-NAT address to the IP address of the internal computer by the NAT address server; sending a current allocation data set between the pre-NAT address and the IP address of the internal computer from the NAT address server to an NAT host; sending the pre-NAT address of the internal computer from the NAT address server to the internal computer; introducing in a data packet protocol data arranged to contain the pre-NAT address; sending the data packet with protocol data arranged to contain the pre-NAT address from the internal computer to the NAT host; exchanging an origin specification in the header of the data packet, the specification containing the IP address of the internal computer, for said pre-NAT address contained in the protocol data; and forwarding the data packet by the NAT host to an externally addressed computer, wherein both the header of the data packet and the protocol data of the data packet each contains said pre-NAT address.

2. The method as claimed in claim 1, further comprising: receiving a data packet with the pre-NAT address from the externally addressed computer by the NAT host; exchanging a destination specification in the header of the data packet (IP header), which specification contains the pre-NAT address, for the allocated IP address of the internal computer by the NAT host, using the current allocation data set; forwarding the data packet by the NAT host to the internally addressed computer.

3. The method as claimed in claim 1, further comprising: requesting the current allocation data set from the NAT address server by the NAT host.